Michael I. Bushnell (unmvax!!mike@ucbvax.Berkeley.EDU)
13 Nov 88 22:21:26 GMT

In article <44440@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
>In article <1242@ucsd.EDU>, (Jim Hutchison) writes:
>> I'm not presuming they were ignored. *Many* people have been aware of this
>> particular sendmail bug. That was not the purpose of the article. The fact
>> is, that bugs happen. This was a sendmail & finger bug. Before, it was
>> an ftp bug (and a cute one that was). Before that, ...

>I have not been able to find ONE person who claims to
>have known that sendmail compiled with DEBUG on would have allowed
>anyone with SMTP access to run an arbitrary program on their machine.

>The fact that you can run an arbitrary program is such an obvious
>security hole that I can't believe anyone wouldn't report it if they knew.

>So, name 5 of these many people and I'll drop the issue. (I WILL ask
>them why they didn't think it was worth sending to Berkeley as a bug)

Here's one! I noticed this about two months ago. You see, I decided
to write some stuff to filter my incoming mail, and installed it as a
pipe in my .forward. Worked great. Then two questions occurred to
me: 1) What UID will my forwarder run as? and 2) What if the "|..."
syntax occurred in a different context?

Some experimentation yielded answers to the second question: only if
it occurs as an alias or forwarding expansion (naive me...). When
poking around the code looking for the answer to the first question, I
noticed where the cute error message occurs in the second case:

if (a->q_alias == NULL && !tTd(0,1) && !QueueRun && !ForceMail)
{
        usrerr("Cannot mail directly to programs");
        a->q_flags |= QDONTSEND;
}

Hmmm...that little tTd check looks at the debug level! Knowing about
the SMTP DEBUG command, I checked it out, and indeed it worked.

I reported this to offsite "official" people...I was informed that
this bug was known, but not to tell anyone because of the danger of
someone using it for a virus.
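
The check quoted in the post above, modelled as an added example (not part of the original post and not sendmail's source): the quoted predicate next to a variant in which the debug state no longer takes part in the decision. The struct layouts, the flag value, the sample recipient and all function names are assumptions made for this sketch; only the field and variable names in the condition come from the post.

```c
#include <stddef.h>
#include <stdbool.h>

#define QDONTSEND 0x01u  /* constructed value; only the name is from the post */

/* Simplified recipient: just the fields the quoted check touches. */
struct address {
    const char *q_user;             /* recipient text (constructed sample)  */
    const struct address *q_alias;  /* non-NULL if from alias/.forward      */
    unsigned q_flags;
};

/* Process state consulted by the check; debug_0_1 stands in for tTd(0,1). */
struct state { bool debug_0_1, QueueRun, ForceMail; };

/* Predicate as quoted in the post: debug mode switches the rejection off. */
static bool reject_original(struct address *a, const struct state *s)
{
    if (a->q_alias == NULL && !s->debug_0_1 && !s->QueueRun && !s->ForceMail) {
        a->q_flags |= QDONTSEND;
        return true;
    }
    return false;
}

/* Variant for comparison: a diagnostic flag never relaxes the check. */
static bool reject_hardened(struct address *a, const struct state *s)
{
    if (a->q_alias == NULL && !s->QueueRun && !s->ForceMail) {
        a->q_flags |= QDONTSEND;
        return true;
    }
    return false;
}

/* Returns 1 if a program recipient ends up marked QDONTSEND, else 0.
   from_alias: recipient came from alias/.forward expansion (permitted case). */
int program_rejected(bool from_alias, bool debug, bool hardened)
{
    static const struct address parent = { "mike", NULL, 0 };
    struct address a = { "|filter", from_alias ? &parent : NULL, 0 };
    struct state s = { debug, false, false };
    bool r = hardened ? reject_hardened(&a, &s) : reject_original(&a, &s);
    return r && (a.q_flags & QDONTSEND);
}
```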

